Tuesday, June 21, 2011

These are just notes, taken for personal use, on the options used in the tcpdump commands below:

# sudo tcpdump -i en0 -vvv -K -n -s 0 -w ~/Desktop/DumpFile.dmp

or, without the -K option:

# sudo tcpdump -i en0 -vvv -n -s 0 -w ~/Desktop/DumpFile.dmp

To stop capturing, press control-c. To view the captured file:

# sudo tcpdump -s 0 -n -e -x -vvv -r ~/Desktop/DumpFile.dmp

Here is an explanation of the options used in the commands above:
-i interface to capture on
-vvv even more verbose output
-K don't attempt to verify TCP, UDP and IP checksums
-n don't convert addresses to names
-s snaplen setting; a snaplen of 0 means capture whatever length is needed to get whole packets
-w write the raw packets to a file rather than parsing and printing them
-e print the link-level header on each dump line
-x when parsing and printing, in addition to the header of each packet, print the data of each packet (minus its link-level header) in hex
-r read packets from a file
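As an added example (not part of the original notes), here is a small Python reader for the pcap file that -w writes: it shows the snaplen recorded in the file header and flags any packet whose captured length is shorter than its on-wire length, which is exactly what -s 0 is meant to avoid. The sample file bytes are constructed inline and assume an Ethernet capture (linktype 1) with a 65535 snaplen; the actual values depend on the tcpdump version and interface.

```python
import struct

# Constructed sample: a minimal pcap file in the layout `tcpdump -w` produces.
# Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
# Assumption: snaplen 65535 and linktype 1 (Ethernet).
_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _record(ts_sec, ts_usec, payload, orig_len=None):
    """Build one pcap record: 16-byte per-packet header followed by captured bytes."""
    orig_len = len(payload) if orig_len is None else orig_len
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), orig_len) + payload


# Two constructed frames: one captured whole (60 of 60 bytes) and one cut
# to 40 of 80 bytes, as a too-small -s value would leave it.
_FRAME_FULL = bytes(range(60))
_FRAME_CUT = bytes(range(40))
SAMPLE_PCAP = (_HDR
               + _record(1308700000, 1, _FRAME_FULL)
               + _record(1308700000, 2, _FRAME_CUT, orig_len=80))


def parse_pcap(data):
    """Return (snaplen, linktype, records); each record is (caplen, origlen, bytes)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"          # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"          # file written on a big-endian host
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    _, _, _, _, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, linktype, records


def truncated(records):
    """Indexes of records whose capture is shorter than the wire length (snaplen too small)."""
    return [i for i, (cap, orig, _) in enumerate(records) if cap < orig]


def payload_hex(record, linktype):
    """Hex of the packet minus its link-level header, as `tcpdump -x` prints it."""
    _, _, pkt = record
    link_len = 14 if linktype == 1 else 0   # Assumption: only Ethernet (14-byte header) handled
    return pkt[link_len:].hex()
```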